Building LockNote, My Journey into Secure Note Encryption with Rust 🦀

# Building LockNote, My Journey into Secure Note Encryption with Rust 🦀 > Over the past few weeks, I’ve been building a small but meaningful project called **[LockNote](https://github.com/dicethedev/LockNote)**. A command-line tool that lets you store encrypted notes locally using modern cryptography. It started as a curiosity about how password hashing and encryption actually work under the hood, and it quickly turned into a full-on deep dive into **Rust**, **Argon2**, and **AES-GCM**. > This article is my attempt to document that journey and to show what I built, why I built it, and what I learned along the way. --- ## The Idea Behind LockNote I’ve always used note-taking tools like Notion or Google Keep, but I wanted something private, offline, and encrypted, something that doesn’t rely on the cloud. The goal was simple: - Take in a note - Encrypt it using a strong key derived from a password - Store it safely on disk - Be able to decrypt and read it later only with the correct password In short, **LockNote** is a minimal, secure, and portable note storage system, a local vault for personal notes, protected by real cryptographic standards. ## What You Can Store with LockNote LockNote isn’t just for regular notes. You can also use it to securely store: - Wallet seed phrases - Private keys - API secrets or passwords - Personal journals or confidential thoughts Because each note is encrypted individually using **AES-256-GCM**, even if someone steals your locknote.json file, they won’t be able to decrypt it without your master password. That said, remember this: > LockNote’s security depends on your password strength and your local environment. Always use a strong password and keep your device safe, encryption can’t protect against someone with full access to your unlocked system. Think of it like a **digital safe**, incredibly strong on the inside, but still vulnerable if you leave the door open. ## Why I Chose Rust? Rust felt like the perfect choice for this project. I wanted safety, performance, and memory control, without worrying about dangling pointers or accidental leaks. But what really drew me to Rust was its **type system**, **error handling model** and I'm learning, diving into Rust itself. Working with encryption libraries can get tricky fast. Rust’s strict compiler forced me to think clearly about ownership, mutability, and error propagation. At first, that was frustrating. But later, I realized that these guardrails actually make you **design safer systems by default**, especially for something security-sensitive like LockNote. The other reason was the **ecosystem:** crates like: - `argon2` for password hashing - `aes-gcm` for encryption - `tokio` for asynchronous file I/O - and `serde` for handling structured JSON data Together, they made it possible to build a fully secure and async-enabled app in a few hundred lines of code. ## How LockNode Works? When you run `locknote init`, it does three things: 1. Prompts you to set a **master password** 2. Hashes that password with **Argon2**, using a random salt 3. Creates a local JSON “lockfile” to store your encrypted notes Each time you add a note: - A **32-byte AES** key is generated - The note is encrypted using **AES-256-GCM** (a modern, authenticated encryption standard) - The ciphertext, nonce, and metadata are stored in the lockfile When you view or search notes, LockNote decrypts them in memory, never storing the plaintext on disk. In short: your notes are locked with a password that’s never stored, and even if someone grabs your file, all they get is unreadable ciphertext. ## What I learned About Cryptography? This project forced me to really understand how encryption and password hashing differ: - **Password hashing** (like Argon2) is one-way. You can’t decrypt it. It’s used to verify passwords safely. - **Encryption** (like AES-GCM) is two-way. You can decrypt it only if you have the correct key and nonce. I also learned how important **nonces** are, they must be unique for each encryption. And that **Argon2** is not just about hashing, it’s about being deliberately slow and memory-hard, so brute-force attacks are expensive. Rust’s `aes-gcm` crate made me appreciate how much cryptographic safety depends on good defaults and strong randomness sources (`OsRng` in this case). ### Key Features - **AES-256-GCM** encryption for strong confidentiality - **Argon2 password hashing** for secure authentication - **Async I/O with Tokio** for non-blocking performance - **Simple CLI interface** built with clap - **Local JSON storage**, human-readable yet encrypted You can: - `init` — create a secure lockfile - `add` — encrypt and add a note - `list` — see stored notes - `view` — decrypt and read a note - `delete` — remove a note permanently - `search` — find notes matching a keyword ## Testing and Building LockNote Rust’s testing ecosystem made everything easier. I wrote integration tests using the `assert_cmd` crate, which allowed me to simulate running commands like `locknote init` or `locknote add` directly from the test suite. Building a release version was as simple as: ```bash cargo build --release ``` Then running it: ```bash ./target/release/locknote init ./target/release/locknote add ``` You can even copy binary to `/usr/local/bin` and use it anywhere: ```bash sudo cp target/release/locknote /usr/local/bin ``` ### How to Use LockNote Once built, the binary lives in `target/release/locknote`. You can install and use it anywhere: ```bash # build it cargo build --release # initialize ./target/release/locknote init # add a note ./target/release/locknote add # list notes ./target/release/locknote list # view or delete ./target/release/locknote view <id> ./target/release/locknote delete <id> ``` Remember that each note is `AES-GCM` encrypted, and your password is protected by `Argon2` hashing. ## What This Project Taught Me LockNote taught me more than just syntax or library usage, it taught me **how to think securely**. I learned: - How to handle user input and encryption keys safely - The importance of nonces and salts - How async I/O can coexist with cryptographic operations - And how small tools can still teach deep lessons about system design It also reminded me that good security isn’t about writing complicated code, it’s about keeping things simple, auditable, and correct. ## What's Next for LockNote In the future, I’d love to: - Add support for encrypted file attachments - Introduce a password change flow without re-encrypting everything - Maybe even wrap it in a lightweight TUI (terminal UI) for better interaction But for now, LockNote does exactly what I hoped it would, it gives me a personal, offline, secure space for sensitive notes. ## My Final Thoughts I started **LockNote** as a small weekend experiment to learn cryptography with Rust. But it turned into something that not only strengthened my technical skills but also reshaped how I think about privacy and simplicity in software. Rust has this way of making you slow down and think clearly, and when you’re working with encryption, that’s exactly what you need. If you’ve ever wanted to understand how modern encryption actually works or just want to build something private that belongs truly to you, try building your own version of **LockNote**. You’ll learn a lot more than you expect.